ipf - sample rulesets
fbsd_user
fbsd_user at a1poweruser.com
Thu Oct 9 06:39:36 PDT 2003
I stopped using IPFW because my keep-state rules would not work on a
cable internet connection. I have found that IPFILTER is much easier
to use. Here is my rules file for you to use as a sample.
#################################################################
# Outside Interface to Public internet (Outbound Section)
# Interrogate packets originating from behind the firewall, private net,
# destined for the public internet.
#################################################################
# Allow out access to my ISP's Domain name server.
@100 pass out quick on rl0 proto tcp from any to 24.50.201.66 port = 53 flags S keep state
@101 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 53 keep state
@102 pass out quick on rl0 proto tcp from any to 24.50.201.67 port = 53 flags S keep state
@103 pass out quick on rl0 proto udp from any to 24.50.201.67 port = 53 keep state
@104 pass out quick on rl0 proto tcp from any to 24.50.201.69 port = 53 flags S keep state
@105 pass out quick on rl0 proto udp from any to 24.50.201.69 port = 53 keep state
# Allow out access to my ISP's DHCP server.
@106 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 67 keep state
# Allow out non-secure standard www function
@110 pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state
# Allow out secure www function https over TLS SSL
@115 pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
# Allow out send & get email function
@130 pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
@131 pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state
# Allow out Time
@140 pass out quick on rl0 proto tcp from any to any port = 37 keep state
# Allow out nntp news
#@150 pass out quick on rl0 proto tcp from any to any port = 119
@150 pass out quick on rl0 proto tcp from any to any port = 119 flags S keep state
# Allow out passive FTP for LAN PC FTP to public Internet
@160 pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
@161 pass out quick on rl0 proto tcp from any to any port > 1023 flags S keep state
# Allow out ping to public Internet
@170 pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state
# Allow out whois for LAN PC to public Internet
@172 pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state
# Allow out traceroute to public Internet
#pass out quick on rl0 proto udp from any to any port 33434 >< 33690 keep state
# Deny Everything else trying to get out.
@199 block out log quick on rl0 all
#################################################################
# Outside Interface to Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for my private net.
#################################################################
# Allow traffic in from ISP's DHCP server.
@300 pass in quick on rl0 proto udp from 24.50.201.66 to any port = 68 keep state
# Deny all Adelphia broadcast junk stuff so it does not show in log
@310 block in quick on rl0 proto udp from any to 255.255.255.255
@311 block in quick on rl0 proto tcp/udp from 0.0.0.0 to any
@312 block in quick on rl0 proto igmp from any to any
# Allow in non-secure standard www function
@320 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 80 flags S keep state
# Allow in Telnet
@330 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 23 flags S keep state
# Allow in ping from public Internet
@340 pass in quick on rl0 proto icmp from 63.70.155.0/24 to any icmp-type 8 keep state
# Deny ping so it does not show in log
@350 block in quick on rl0 proto icmp all
# Deny ident so it does not show in log
@351 block in quick on rl0 proto tcp from any to any port = 113
# Block and log all remaining traffic coming into the firewall
@399 block in log quick on rl0 all
#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
#block return-rst in log quick on rl0 proto tcp from any to any
#block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
#block in log quick on rl0 all
#################################################################
# Inside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
@500 pass out quick on xl0 proto tcp from any to any
@501 pass out quick on xl0 proto udp from any to any
@502 pass out quick on xl0 proto icmp from any to any
@503 block out quick on xl0 all
#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
@520 pass in quick on xl0 proto tcp from any to any
@521 pass in quick on xl0 proto udp from any to any
@522 pass in quick on xl0 proto icmp from any to any
@523 block in quick on xl0 all
#################################################################
# Loopback Interface
#################################################################
#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
@700 pass in quick on lo0 all
@701 pass out quick on lo0 all
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
bsd at perimeter.co.za
Sent: Thursday, October 09, 2003 8:59 AM
To: FreeBSD Question List
Subject: ipf - sample rulesets
Hi all.
Are there any good references and/or sample ipf rulesets that I could use to look-and-learn from?
I am quite familiar with ipfw, but I'm struggling with converting my thinking on issues like the "setup" and "established" keywords of ipfw.
Thanks in advance for any pointers.
Regards,
Patrick.
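The ruleset above relies on three properties that are easy to break when editing a rule file by hand: `quick` rules are evaluated first-match, so a catch-all `block ... quick ... all` must be the last rule for its direction and interface; rule numbers should be unique within each direction's list; and a TCP `pass ... keep state` rule only creates state on the initial SYN if it also carries `flags S` (which is the ipf equivalent of ipfw's "setup"). The following linter, an added example that is not part of either message in this thread, parses a rule file and reports violations of those three properties. The sample rules embedded in it are constructed in the style of the posted file, with two deliberate mistakes so the checks have something to find; the checks are heuristics and do not implement ipf's full grammar.

```python
"""Lint an IPFilter (ipf) rule file for a few common mistakes.

Added example, not part of the mailing-list thread. The sample rules
below are constructed in the style of the posted ruleset.
"""
import re
from collections import defaultdict

# Constructed sample: contains one pass rule after a catch-all block,
# one duplicated rule number, and one TCP keep-state rule without flags S.
SAMPLE_RULES = """\
# Outside interface, outbound
@100 pass out quick on rl0 proto tcp from any to 24.50.201.66 port = 53 flags S keep state
@140 pass out quick on rl0 proto tcp from any to any port = 37 keep state
@199 block out log quick on rl0 all
# Inside interface
@500 pass out quick on xl0 proto tcp from any to any
@520 pass in quick on xl0 proto tcp from any to any
@501 pass in quick on xl0 proto udp from any to any
@501 pass in quick on xl0 proto icmp from any to any
# Outside interface, inbound: the pass rule sits after the catch-all block
@399 block in log quick on rl0 all
@340 pass in quick on rl0 proto icmp from 63.70.155.0/24 to any icmp-type 8 keep state
"""

# Optional "@number", then the action, then the rest of the rule.
RULE_RE = re.compile(r"^(?:@(?P<num>\d+)\s+)?(?P<action>pass|block)\b(?P<rest>.*)$")


def parse_rule(line):
    """Return a dict describing one ipf rule, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    toks = m.group("rest").split()
    rule = {
        "num": int(m.group("num")) if m.group("num") else None,
        "action": m.group("action"),
        "direction": None,
        "iface": None,
        "proto": None,
        "quick": "quick" in toks,
        "all": "all" in toks,
        "flags_s": False,
        "keep_state": False,
        "text": line,
    }
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok in ("in", "out"):
            rule["direction"] = tok
        elif tok == "on":
            rule["iface"] = nxt
        elif tok == "proto":
            rule["proto"] = nxt          # may be "tcp/udp"
        elif tok == "flags" and nxt and nxt.startswith("S"):
            rule["flags_s"] = True       # "flags S" or "flags S/SA"
        elif tok == "keep" and nxt == "state":
            rule["keep_state"] = True
    return rule


def lint_ruleset(text):
    """Return a list of (rule_number, message) findings, in file order."""
    findings = []
    seen = defaultdict(list)   # (direction, number) -> rule texts
    closed = set()             # (direction, iface) ended by a quick 'all' rule
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        key = (r["direction"], r["iface"])
        # ipf evaluates 'quick' rules first-match, so anything after a
        # quick catch-all for the same direction/interface never runs.
        if key in closed:
            findings.append((r["num"], f"unreachable: follows a quick 'all' rule for {key[0]} on {key[1]}"))
        if r["quick"] and r["all"]:
            closed.add(key)
        if r["num"] is not None:
            seen[(r["direction"], r["num"])].append(r["text"])
        # Without 'flags S', any matching TCP packet creates a state entry,
        # not just the connection-opening SYN.
        if (r["action"] == "pass" and r["keep_state"] and r["proto"]
                and "tcp" in r["proto"] and not r["flags_s"]):
            findings.append((r["num"], "tcp 'keep state' without 'flags S': state can be created by any packet, not only the SYN"))
    # ipf keeps separate in and out lists, so numbers only collide per direction.
    for (direction, num), texts in seen.items():
        if len(texts) > 1:
            findings.append((num, f"duplicate rule number @{num} in the {direction} list ({len(texts)} rules)"))
    return findings


if __name__ == "__main__":
    for num, msg in lint_ruleset(SAMPLE_RULES):
        print(f"@{num}: {msg}")
```

Run against the sample it reports @140 (keep state without flags S), @340 (unreachable behind @399) and @501 (duplicated in the inbound list). To check a real file, read it into `lint_ruleset` instead of `SAMPLE_RULES`; the parser ignores comments and blank lines, so the posted rules file can be fed in as-is.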